UMA telecon 2021-10-21

Date and Time



Roll call

Approve minutes


IIW closing thoughts

(see initial thoughts from last weeks minutes)

FHIR Vulnerability Review

and how UMA could address, maybe a 1-2 page position

Summary of articles: a white-hat security company ( have looked at some health care mobile applications that access FHIR apis. Patients were authenticating against the API/EHR, however the applications were able to access all FHIR data regardless of the authenticated user. There were also issues raised around static client credentials embedded in the mobile applications (public SMART on FHIR app using confidential client creds?)

want to avoid a 'shut down access' reactive response

Potential Outline:

application of provider authZ setup to patient access

difference of patient/*.* (what they should've done) and user/*.* (what they did)

Patient empowerment group (hl7 group) is meeting and the article writer is presenting these findings.

Let's use confluence, Alec will create a page and move these notes over then share the link on the mailing list


Conference roundup

In person is coming back!

Topic Candidates (from previous week's telcon)


As of October 26, 2020, quorum is 5 of 9. (Michael, Domenico, Peter, Sal, Thomas, Andi, Alec, Eve, Steve)


  1. Eve
  2. Alec
  3. Domenico

Non-voting participants:

  1. Scott G, working with Healthcare team at Forgerock
  2. Nancy
  3. Vladimir
  4. Scott 


  1. Steve